CVE-2010-2273: XSS
First published: Mon Jun 14 2010(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in Dojo 1.0.x before 1.0.3, 1.1.x before 1.1.2, 1.2.x before 1.2.4, 1.3.x before 1.3.3, and 1.4.x before 1.4.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to dojo/resources/iframe_history.html, dojox/av/FLAudio.js, dojox/av/FLVideo.js, dojox/av/resources/audio.swf, dojox/av/resources/video.swf, util/buildscripts/jslib/build.js, and util/buildscripts/jslib/buildUtil.js, as demonstrated by the (1) dojoUrl and (2) testUrl parameters to util/doh/runner.html.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dojo Toolkit | =1.0 | |
| Dojo Toolkit | =1.0.1 | |
| Dojo Toolkit | =1.0.2 | |
| Dojo Toolkit | =1.1 | |
| Dojo Toolkit | =1.1.1 | |
| Dojo Toolkit | =1.2 | |
| Dojo Toolkit | =1.2.1 | |
| Dojo Toolkit | =1.2.2 | |
| Dojo Toolkit | =1.2.3 | |
| Dojo Toolkit | =1.3 | |
| Dojo Toolkit | =1.3.1 | |
| Dojo Toolkit | =1.3.2 | |
| Dojo Toolkit | =1.4 | |
| Dojo Toolkit | =1.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50896
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50994
- http://dojotoolkit.org/blog/post/dylan/2010/03/dojo-security-advisory/
- http://secunia.com/advisories/40007
- http://www.vupen.com/english/advisories/2010/1281
- http://bugs.dojotoolkit.org/ticket/10773
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50856
- http://secunia.com/advisories/38964
- http://www-01.ibm.com/support/docview.wss?uid=swg21431472
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50849
- http://www.gdssecurity.com/l/b/2010/03/12/multiple-dom-based-xss-in-dojo-toolkit-sdk/
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50833
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50958
- http://www-1.ibm.com/support/docview.wss?uid=swg1LO50932
Frequently Asked Questions
What is the severity of CVE-2010-2273?
CVE-2010-2273 has a moderate severity level due to its ability to allow cross-site scripting attacks.
How do I fix CVE-2010-2273?
To fix CVE-2010-2273, you should upgrade to Dojo versions 1.0.3, 1.1.2, 1.2.4, 1.3.3, or 1.4.2 or later.
What types of vulnerabilities are associated with CVE-2010-2273?
CVE-2010-2273 is associated with multiple cross-site scripting (XSS) vulnerabilities.
Which versions of Dojo are affected by CVE-2010-2273?
CVE-2010-2273 affects Dojo versions 1.0.x up to 1.0.2, 1.1.x up to 1.1.1, 1.2.x up to 1.2.3, 1.3.x up to 1.3.2, and 1.4.x up to 1.4.1.
What is the impact of CVE-2010-2273 on web applications?
The impact of CVE-2010-2273 on web applications includes the potential for attackers to inject arbitrary web scripts or HTML, leading to a compromise of user data.
- agent/references
- agent/type
- agent/severity
- agent/author
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/dojotoolkit
- canonical/dojo toolkit
- version/dojo toolkit/1.0
- version/dojo toolkit/1.0.1
- version/dojo toolkit/1.0.2
- version/dojo toolkit/1.1
- version/dojo toolkit/1.1.1
- version/dojo toolkit/1.2
- version/dojo toolkit/1.2.1
- version/dojo toolkit/1.2.2
- version/dojo toolkit/1.2.3
- version/dojo toolkit/1.3
- version/dojo toolkit/1.3.1
- version/dojo toolkit/1.3.2
- version/dojo toolkit/1.4
- version/dojo toolkit/1.4.1